Debugging the Tech Industry’s “Bug Bounty” Programs

To avoid notifying consumers of a data breach, Uber disguised an extortion payment to a hacker as a prize for discovering a “bug” in its code. Now lawmakers are looking to prevent bug bounties from being hijacked in the future.

Uber's John Flynn testifying at a Senate committee hearing on Tuesday (AP Photo/Susan Walsh)

By Brendan Bordelon
Feb. 6, 2018, 8 p.m.

Over the last five years, an unlikely romance has bloomed between hackers and top-tier tech companies.

Instead of using their powers for evil, some “white-hat” hackers have offered to find a corporation’s network vulnerabilities and, for a fee, disclose them to the owners. Although initially wary, thousands of companies have now created “bug bounty” programs, through which they pay hackers prize money for discovering and disclosing “bugs” in their systems.

Until recently, most observers saw bug-bounty programs as an unalloyed good—a way to enhance corporate cybersecurity while simultaneously turning talented hackers away from a life of crime and punishment.

But that was before Uber Technologies’ belated disclosure of a November 2016 data breach in which attackers stole data on 57 million users, including 25 million Americans, along with 600,000 U.S. driver-license numbers. In an apparent ploy to avoid disclosing the theft, Uber instead paid the two hackers $100,000 and routed the payment through the bug-bounty program it had launched earlier that year.

The breach was not disclosed to consumers or law enforcement until November 2017, one year after the incident and several months after new management had taken over at Uber. Several states have opened investigations into whether the lack of disclosure violated state data-breach-notification laws, but the federal role in the controversy has so far been unclear.

Now the Senate is looking to change that. Sen. Jerry Moran, the chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, convened a hearing on Tuesday to discuss ways to prevent the hijacking of bug-bounty programs for nefarious purposes. And all options—from federal breach-notification requirements to hard limits on bug-bounty pricing and the preemption of a patchwork of state notification laws—appear to be on the table.

In the ride-sharing company’s first public admission of fault, John Flynn, Uber’s new information-security officer, told the Senate panel there was “no justification” for his company’s behavior. “We recognize that the bug-bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company,” Flynn said.

Flynn added that the actual theft of data distinguished this case from a typical bug bounty, in which hackers would merely identify a vulnerability without subsequently exploiting it.

Those in the bug-bounty industry, however, worry that the damage has already been done. Casey Ellis, the founder and chief technology officer of Bugcrowd, said the Uber incident has reawakened mutual suspicions between tech companies and hackers.

“This concept of, ‘Well, are bug bounties basically just extortion that happens on a more controlled level? Is this essentially money laundering, like hush money for hackers?’—it’s almost like the mud in the water started to settle, and this whole thing has stirred that mud back up,” Ellis said. “So that’s the part that I’ve found really frustrating.”

Ellis cautioned lawmakers against a knee-jerk reaction, warning that new rules could prove “onerously restrictive on the benefits of interacting with the hacker community, whilst sort of ignoring the fact that the bad guys don’t read the law.”

But Moran all but promised legislation to prevent another incident of extortion masquerading as a bug-bounty payout. “There is a lot of interest in legislation, [and] there has been for a while,” Moran told reporters after the hearing.

Democratic Sens. Bill Nelson and Richard Blumenthal also touted their own bill, the Data Security and Breach Notification Act, as a vehicle to greater accountability. Among other provisions, their bill would empower the Federal Trade Commission to take greater steps to enforce federal bug-bounty standards.

Observers see two potential problems with bug-bounty programs as they’re currently constituted. One is the corporate confusion over whether a breach stemming from a bug-bounty program should be disclosed, and to whom.

“If lots of personal information of customers or employees is accessed, that’s going to almost certainly trigger some regulatory notification obligation,” said Avi Gesser, a cybersecurity lawyer at Davis Polk. “And you usually can’t make that go away by just dealing with the person who hacked you—even if you don’t call it a hack.”

Uber’s Flynn seemed eager to admit his company’s mistake in failing to notify consumers and law enforcement. He pledged to work with lawmakers to create new notification requirements and supported the preemption of a “patchwork” of state notification laws with a federal framework.

The other issue relates to the often flexible pricing of bug bounties. Reports indicate that Uber initially sought to pay the hackers the standard $10,000 bug-bounty fee for their find, only to have that offer rebuffed in favor of a $100,000 payment. Experts say that type of haggling isn’t unusual in the bug-bounty world—but it can be destructive.

“Why would a hacker turn in a bug and follow the rules for $10,000 when the term ‘bug bounty’ has been muddied to include downloading 57 million records and getting paid $100,000 for that data theft?” asked Katie Moussouris, the chief executive of Luta Security, who testified on Tuesday. “I think that is a line that should be very, very clear that bounties should not be negotiable in that way.”

But Flynn seemed less eager to support a hard price cap on bug bounties. The Uber executive deflected when Sen. Blumenthal asked him if he’d support nonnegotiable and clearly defined terms for any vulnerability brought to his company’s attention, instead saying it’s important for companies to have procedures in place after the fact.

Moran couldn’t say when bug-bounty legislation is coming down the pike. But he hinted that it could be wrapped in a broader data-security bill, and would almost certainly include new breach-notification requirements for bug bounties gone wrong.

“I think there is a role for the law to play in finding the right parameters for this activity,” he told reporters after the hearing.
